IT Security Still Not Protecting the Right Assets Despite Increased Spending, Reveals New Research From Oracle and CSO Custom Solutions Group

Most IT security resources in today's enterprise are allocated to protecting network assets, even though the majority of enterprises believe a database security breach would be the greatest risk to their business, according to a new report issued by CSO Custom Solutions Group and sponsored by Oracle.

In the survey with 110 companies from industries including Financial Services, Government, High Tech, more than two thirds of IT security resources remain allocated to protecting the network layer, while less than one third of the staff and budget resources were allocated to protecting core infrastructure such as databases and applications.

When comparing the potential damage caused by breaches, most enterprises believed that a database breach would be the most severe as they contain the most vital and valuable information -- intellectual property as well as sensitive customer, employee, and corporate financial data.

An un-balanced and fragmented approach to security has left many organizations' applications and data vulnerable to attacks both internally and externally.

Today's findings underscore the relevance of Oracle's "security inside-out" approach which means focusing attention on the organizations most strategic assets which include databases, applications and users.

Specific Research Findings:

Nearly 66 percent of respondents said they apply a security inside out strategy, where as 35 percent base their strategy on end point protection.

Even with this fundamental belief in strategy, spending does not truly align as more than 67 percent of IT security resources -- including budget and staff time -- remain allocated to protecting the network layer and less than 23 percent of resources were allocated to protecting core systems like servers, applications and databases.

44 percent believed that databases were safe because they were installed deep inside the perimeter.

90 percent report the same or higher, level of spend compared to 12 months prior. The survey shows that 59 percent of participants plan to increase security spending in the next year.

In 35 percent of organizations, security spend was influenced by sensational informational sources rather than real organizational risks.

40 percent of respondents believed that implementing fragmented point solutions created gaps in their security and 42 percent believe that they have more difficulty preventing new attacks than in the past.

Supporting Quote:

"IT Security has to focus attention on the most strategic assets. Organizations can't continue to spend on the wrong risks and secure themselves out of business. When attackers do break through the perimeter, they can take advantage of weak security controls against the core systems by exploiting privileged user access, vulnerable applications, and accounts with excessive access," said Mary Ann Davidson, Chief Security Officer at Oracle. "Organizations have to get the fundamentals right -- which are database security, application security and identity management."

"The results of the survey show that the gap between the threat of severe damage to a database attack versus the resources allocated to protecting the database layer is significant, highlighting the disconnect in how organizations are securing their IT infrastructures," said Tom Schmidt, Managing Editor, CSO Custom Solutions Group.